Assura’s specialty is in the area of risk management convergence: developing processes and tools whose deliverables give our clients greater insight into their risk posture while addressing multiple areas of compliance at once. This saves our clients money and time because they no longer have to conduct multiple overlapping data gathering, analysis, and reporting efforts. This is evidenced by the fact that Assura helped the Virginia Department of Aviation implement an Enterprise Risk Management (ERM) program, the first in the nation for a state agency. We are currently helping the Virginia Department of Alcoholic Beverage Control with the development of their ERM program.
The equivalent of an ERM program with respect to IA and Federal Information Security Management Act (FISMA) compliance is found in National Institute of Standards and Technology (NIST) Special Publication 800-39, “Managing Information Security Risk: Organization, Mission, and Information System View”. Special Publication 800-39 is based largely on ISO/IEC Standard 31000, which is the standard we use to assist our clients with the development and implementation of their ERM programs.
Our Risk Assessment methodology, called Calibrated Risk Index® (CRI), is compatible with NIST Special Publication 800-30, “Risk Management Guide for Information Technology Systems”, and can use the controls catalog in Special Publication 800-53. CRI is a risk assessment methodology that provides both quantitative and qualitative articulation of risk using a scientific approach to analysis and assessment. It is designed to be repeatable so that individual biases are removed from the results.